Domain Join fails with univention-domain-join-cli from Ubuntu 22.04 Server

brix · October 25, 2023, 8:49am

Hi

Our Servers are in different VLANs, the Primary and Backup Domain Node are in the DMZ xxx.xxx.14.xx, and the Ubuntu Server I want to Join as Managed Node is in the WEB-Server VLAN xxx.xxx.12.xx. A ping from one server to the other works fine, the Routes/Rules are on the Firewall and all Ports allowed.

I think I made a misstake when I installed the Join Script, when it prompts some question. As it asked for the Domain Servers, I insert the FQDN with the Domain as [myDomServer].[myDomain].local and instead I think should just insert just the Hostname of the Server. I allready tryed to uninstall and purge the Join-Script, the Repo and to reinstall it to get the prompt again, but the prompt dosn’t come anymore and what I insert stays in the configuration of the script. I also tryed to find where these information was stored, but I didn’t find it.

However, when I’m trying to join the Domain with the Server, I get an error: An error occurred: The UCS master name [myDomServer].[myDomain].local can not be resolved, please check your DNS settings. in LOG is nothing more as the same Error message.

In the Univention Server I insert all Networks and in the DNS are all Zones registred, see pictures included. For Security reasons I masked the full IP, Host- and Domain.

UCS_Networks
UCS_DNS

So my question is, if I configured something wrong, or if I forgot to configure something somewhere on the Domain Servers?

Thank you in advance for your quick reply.

Best regards
Andrea

boospy · October 25, 2023, 7:29pm

How to you installed the jointools? Like this?

add-apt-repository ppa:univention-dev/ppa -n -y
DEBIAN_FRONTEND=noninteractive apt-get install univention-domain-join krb5-auth-dialog -y

brix · October 26, 2023, 5:43am

As described here:

So, not as you mentioning in your reply. I will give them a try.

Thanks

brix · October 26, 2023, 8:56am

Hi again

I gave them a try, but it didn’t work. The initial Dialog didn’t come up and I couldn’t reconfigure the Script.

Still get the Error Message.

Somebody some other Idea?

Thanks

jlk · October 26, 2023, 9:21am

Moin,

I have not worked on this component, but based on looking over the code briefly maybe the following can help.
If you call the script via the commandline (sudo univention-domain-join-cli) instead of the GUI there is the option to explicitly supply a domainname or the IP to join against:

github.com

univention/univention-domain-join/blob/ubuntu22.04/scripts/cli.py#L114C26-L113C26

    
      
          parser.add_argument('--domain', help='Domain name. Can be left out if the domain is configured for this system')
          parser.add_argument('--dc-ip', help='IP address of the UCS domain controller to join to. Can be used if --domain does not work. If unsure, use the IP of the UCS Master', metavar="IP")

Best regards
Jan-Luca

brix · October 26, 2023, 9:29am

Hi Jan-Luca

Thanks for your Input.

It is a Ubuntu Server without GUI, so it happens everything on CLI and I allready set he Arguments --domain as well --dc-ip and dosn’t helps.

Best regards
Andrea

brix · October 26, 2023, 9:32am

…to complete the information, these is the command I use to do the join:

sudo univention-domain-join-cli --username [myUserWithAdminRights] --password [myPassword] --skip-login-manager --domain [myDomain].local --dc-ip [IPofPrimaryNode]

jlk · October 26, 2023, 10:37am

Can you try it again with only the IP? The initial DNS error should be solved if there is no name to resolve.

brix · October 26, 2023, 11:21am

Can you try it again with only the IP? The initial DNS error should be solved if there is no name to resolve.

Allready tryed, dosn’t work either. Same Error.

jlk · October 26, 2023, 12:26pm

Well, does the resolving work in general? Can you try the following:

dig <myDomServer>.<myDomain>.local @<IP of Primary> +short
dig <myDomServer> @<IP of Primary> +short

brix · October 26, 2023, 1:03pm

It seams to resolve:

dig [myHost].[myDomain].local @xxx.xx.14.xx

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> [myHost].[myDomain].local @xxx.xx.14.xx
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48877
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ae92ad66ff0834505590a7c1653a6128add137cbd214967b (good)
;; QUESTION SECTION:
;[myHost].[myDomain].local.       IN      A

;; ANSWER SECTION:
[myHost].[myDomain].local. 900    IN      A       xx.xx.14.xx

;; AUTHORITY SECTION:
[myDomain].local.             900     IN      NS      [myBackupNode].[myDomain].local.
[myDomain].local.             900     IN      NS      [myHost].[myDomain].local.

;; ADDITIONAL SECTION:
[myBackupNode].[myDomain].local. 900    IN      A       xxx.xx.14.xx

;; Query time: 0 msec
;; SERVER: xxx.xx.14.xx#53(xxx.xx.14.xx) (UDP)
;; WHEN: Thu Oct 26 14:53:06 CEST 2023
;; MSG SIZE  rcvd: 153

Additional I want to mention taht I don’t use the root for the join and that I disabled Remote Login for root User.

Meanwhile I also set up a 2nd Ubuntu Serevr to test more things, and I also tryed to move it from the VLAN 12, where the real server is situated, to the same VLAN 14 as the Domain Nodes. Same Error.

brix · October 31, 2023, 10:09am

I was now able to join the Domain with the Test-Server. I just had to modify the /etc/resolv.conf and add the Domain and DNS Servers manually. After that, the Join Script worked fine.

But now i have the Problem that it generated a simple “Ubuntu” Object and I don’t see it as a Member Server/Managed Node and use it for Shares. I moved the Object in LDAP to [myDomain].local:/computers/memberserver, but it didn’t help. So I have to change the Type to “Managed Node” but I can only create such an object, but can’t change the joined Server.

Somebody know how to do that?

Thanks
Andrea